Assess your data potential with ATT&CK Datamap

Sample output of the assessment in the MITRE ATT&CK Navigator

While helping clients that chose to work on coverage of the ATT&CK framework I found myself lacking a solid way to represent their options, which led me to the following approach.

I wanted to create a tool to see what is already potentially possible with the available data and what data should be onboarded to cover certain techniques, if possible.

Nearly all MITRE ATT&CK techniques state one or more data sources, but that is still very generic when it comes to dealing with actual logs, so I made an attempt at adding that layer. I wanted to create something everyone on a normal Windows box is able to run, without having to install additional software.

I’ve ended up with a toolkit that consists of an Excel file and a PowerShell module, which can be downloaded here.

Caveats

These scores depict the potential value of the data source in finding more information about the technique; not everything is useful for detection rules. Some data will be more useful for hunting, or even only in incident response.

This assessment will not be all-encompassing, nor will it be exact on every level. In favor of usability I chose not to add weights to each individual event per technique, as that would make it unusable for most people.

The Excel

Opening the file will take you to the DataSourceEvents worksheet. This is the most important page of the document in terms of scoring and maintaining.

Sample of the Excel file

The sheet contains the MITRE DataSource and Event columns, to which you can add as many rows as you like. Next to them are three subscores for Completeness, Timeliness and Availability, which together result in the score for that Event.

Scoring

Scoring your events is relatively straightforward; the legend is also included in the document on the RatingLegend page. I’ve tried to make this as simple as possible by using a 0–5 system. The total score is calculated as (2 * Completeness + Timeliness + 2 * Availability) / 5. My rationale is that timeliness is less crucial than the other two, but it should obviously be accounted for when creating hunts or detection rules.

Weights

Since not every data source is equally important to each individual technique, I decided to rate them by assigning each a weight on a scale of 0–100, where the weights for a technique should sum up to 100. This workbook can be edited; the weighting is based on my knowledge and experience. Pull requests with improvements are always welcome.

Knowledge base

I’ve been keeping track of a lot of logs; most of the relevant ones I’ve added to a workbook for easy reference:

Thanks to @SBousseaden for the inspiration.

The PowerShell module

This tool requires the ImportExcel module. Install it like this:

PS C:\> Install-Module ImportExcel

Import the module with:

PS C:\> Import-Module .\ATTACKdatamap.psd1

There are three cmdlets available: Get-ATTACKdata, Invoke-ATTACK-UpdateExcel and Request-ATTACKjson.

Get-ATTACKdata

This downloads the MITRE ATT&CK Enterprise JSON file.

PS C:\> Get-ATTACKdata -AttackPath ./enterprise-attack.json

The -AttackPath parameter is optional.

Invoke-ATTACK-UpdateExcel

This extracts all relevant MITRE ATT&CK fields into a table and creates or updates the REF-DataSources worksheet in the Excel file.

PS C:\> Invoke-ATTACK-UpdateExcel -AttackPath .\enterprise-attack.json -Excelfile .\mitre_data_assessment.xlsx

The -AttackPath and -Excelfile parameters are optional.
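To show what "extracting the relevant fields" amounts to, here is an added example (not the ATTACKdatamap module's own code) that walks an ATT&CK STIX bundle and emits one row per technique and data source, which is the shape a weight column attaches to. The bundle below is a constructed, cut-down sample that follows the layout of enterprise-attack.json (attack-pattern objects with external_references and x_mitre_data_sources); the technique IDs, names and data sources in it are made up, and the function name Get-AttackDataSourceTable is hypothetical.

```powershell
# Added example, not part of the ATTACKdatamap module.
# Constructed sample bundle: same structure as enterprise-attack.json, made-up content.
$sampleBundle = @'
{
  "type": "bundle",
  "objects": [
    {
      "type": "attack-pattern",
      "name": "Sample Technique A",
      "external_references": [ { "source_name": "mitre-attack", "external_id": "T0001" } ],
      "x_mitre_data_sources": [ "Process monitoring", "Process command-line parameters" ]
    },
    {
      "type": "attack-pattern",
      "name": "Sample Technique B (revoked)",
      "revoked": true,
      "external_references": [ { "source_name": "mitre-attack", "external_id": "T0002" } ],
      "x_mitre_data_sources": [ "Windows Registry" ]
    },
    { "type": "intrusion-set", "name": "Not a technique" }
  ]
}
'@

function Get-AttackDataSourceTable {
    param([Parameter(Mandatory)][string]$BundleJson)
    $bundle = $BundleJson | ConvertFrom-Json
    foreach ($obj in $bundle.objects) {
        # Only live techniques carry data sources worth scoring
        if ($obj.type -ne 'attack-pattern') { continue }
        if ($obj.revoked -or $obj.x_mitre_deprecated) { continue }
        # The ATT&CK ID (Txxxx) lives in the external reference with source_name mitre-attack
        $ref = $obj.external_references | Where-Object source_name -eq 'mitre-attack' | Select-Object -First 1
        if (-not $ref) { continue }
        # One row per (technique, data source) pair; Weight is left empty for the workbook to fill
        foreach ($ds in @($obj.x_mitre_data_sources)) {
            if (-not $ds) { continue }
            [pscustomobject]@{
                TechniqueID = $ref.external_id
                Technique   = $obj.name
                DataSource  = $ds
                Weight      = $null
            }
        }
    }
}

# Usage against the real file instead of the inline sample:
#   Get-AttackDataSourceTable -BundleJson (Get-Content .\enterprise-attack.json -Raw)
Get-AttackDataSourceTable -BundleJson $sampleBundle | Format-Table -AutoSize
```

Revoked and deprecated techniques are skipped on purpose: scoring data against a technique that no longer exists in the framework inflates the coverage picture.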

Request-ATTACKjson

Generates a JSON file to be imported into the ATT&CK Navigator.

Each technique contains DataSources, which I have individually scored with a weight. The DataSourceEventTypes need to be scored per environment.

This script multiplies the respective DataSource scores by their weights and adds them up to a total technique score. The generation date is added to the description.
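The following added example (my own illustration, not the Request-ATTACKjson cmdlet) runs the whole scoring chain described above on constructed data: the per-event score from the Scoring section, a per-technique weighting as in the Weights section, and the roll-up into a minimal Navigator-style layer with the generation date in the description. The technique IDs, data sources, subscores and weights are all constructed sample values, not the workbook's real ratings, the rule that a data source takes the score of its best event is my assumption, and the layer field set and version string are assumed rather than taken from the module.

```powershell
# Added example, not the ATTACKdatamap module's own code. All data below is constructed.

function Get-EventScore {
    param([int]$Completeness, [int]$Timeliness, [int]$Availability)
    foreach ($v in $Completeness, $Timeliness, $Availability) {
        if ($v -lt 0 -or $v -gt 5) { throw "Subscores must be in the range 0-5, got $v" }
    }
    # Timeliness counts half as much as the other two; the divisor 5 keeps the result on the 0-5 scale
    return [math]::Round((2 * $Completeness + $Timeliness + 2 * $Availability) / 5, 2)
}

# Constructed DataSourceEvents rows, rated for one imaginary environment
$dataSourceEvents = @(
    [pscustomobject]@{ DataSource = 'Process monitoring';              Event = 'Sysmon EID 1';  Completeness = 5; Timeliness = 4; Availability = 5 }
    [pscustomobject]@{ DataSource = 'Process monitoring';              Event = 'Security 4688'; Completeness = 3; Timeliness = 4; Availability = 2 }
    [pscustomobject]@{ DataSource = 'Process command-line parameters'; Event = 'Sysmon EID 1';  Completeness = 5; Timeliness = 4; Availability = 5 }
    [pscustomobject]@{ DataSource = 'Windows Registry';                Event = 'Sysmon EID 13'; Completeness = 0; Timeliness = 0; Availability = 0 }
)

# Assumption: a data source is as good as its best-scored event in this environment
function Get-DataSourceScore {
    param([object[]]$Events, [string]$DataSource)
    $best = 0
    foreach ($r in ($Events | Where-Object DataSource -eq $DataSource)) {
        $s = Get-EventScore -Completeness $r.Completeness -Timeliness $r.Timeliness -Availability $r.Availability
        if ($s -gt $best) { $best = $s }
    }
    return $best
}

# Constructed technique weights: percent per data source, summing to 100 per technique
$techniqueWeights = @{
    'T0001' = @{ 'Process monitoring' = 50; 'Process command-line parameters' = 50 }
    'T0002' = @{ 'Windows Registry' = 60; 'Process monitoring' = 40 }
}

function Get-TechniqueScore {
    param([hashtable]$Weights, [object[]]$Events)
    $sum = ($Weights.Values | Measure-Object -Sum).Sum
    if ($sum -ne 100) { throw "Weights must sum to 100, got $sum" }
    $total = 0.0
    foreach ($ds in $Weights.Keys) {
        # Weighted contribution of each data source; an unscored source contributes 0
        $total += (Get-DataSourceScore -Events $Events -DataSource $ds) * $Weights[$ds] / 100
    }
    return [math]::Round($total, 2)
}

function New-NavigatorLayer {
    param([hashtable]$AllWeights, [object[]]$Events)
    $techniques = foreach ($id in ($AllWeights.Keys | Sort-Object)) {
        $score = Get-TechniqueScore -Weights $AllWeights[$id] -Events $Events
        [pscustomobject]@{ techniqueID = $id; score = $score; comment = "data score $score / 5" }
    }
    [pscustomobject]@{
        name        = 'ATT&CK data assessment (constructed sample)'
        version     = '2.2'                # assumed layer format version
        domain      = 'mitre-enterprise'
        description = "Generated $(Get-Date -Format 'yyyy-MM-dd')"
        techniques  = @($techniques)
    } | ConvertTo-Json -Depth 4
}

# With the sample data T0001 scores 4.8 and T0002 scores 1.92 (Registry data is absent)
New-NavigatorLayer -AllWeights $techniqueWeights -Events $dataSourceEvents
```

The weight check that throws when a technique's weights do not sum to 100 is the kind of guard worth keeping when the workbook is edited by hand; a silent mis-sum would quietly scale every score for that technique.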

EXAMPLE

PS C:\> Request-ATTACKjson -Excelfile .\mitre_data_assessment.xlsx -Template .\template.json -Output 2019-03-23-ATTACKcoverage.json

All of this is gathered into a JSON file which can be opened here: MITRE ATT&CK Navigator/enterprise/


Special thanks to @Carlos_Perez, Arris Huijgen and vivami for their help in getting this working.